Do schools need to appoint a data protection officer?

Finding a qualified DPO is arguably one of the GDPR’s hardest requirements, but is it something that schools need to be concerned about?

The EU GDPR (General Data Protection Regulation) contains particularly strong requirements for protecting children’s data. These can be seen most clearly in the rules surrounding the appointment of a DPO (data protection officer).

The DPO requirement applies to all public authorities, which means all schools must find a qualified individual to fill the position.

The DPO responsibilities

DPOs are tasked with monitoring an organisation’s application of the GDPR. This includes:

  • Advising staff on their data protection responsibilities;
  • Monitoring the organisation’s data protection policies and procedures;
  • Advising management on whether DPIAs (data protection impact assessments) are necessary;
  • Serving as the point of contact between the organisation and its supervisory authority; and
  • Serving as a point of contact for individuals on privacy matters.

A full list of the DPO’s responsibilities is outlined in Article 39 of the GDPR.

Finding a suitable DPO

A prospective DPO doesn’t need to be a lawyer, but they must have a good understanding of data protection law. They also need to be familiar with information security technology as well as how to implement and manage data protection programmes.

A DPO should also have strong communication skills, as they will interact regularly with senior staff, employees and regulators.

There are no formal qualifications that a DPO must have, but anyone who takes on the role should enrol on a GDPR practitioner training course or DPO training course.

Organisations have many options when it comes to appointing a DPO. They can hire a new employee, appoint someone internally (either full time or part time alongside their existing duties) or outsource the position.

The method you choose will depend on your resources and the amount of data your organisation processes. For organisations that have limited data processing activities, such as schools, the DPO’s tasks will be minimal. As such, it might be more time- and cost-effective to outsource the role.

Outsource your DPO with IT Governance

With our DPO as a service for schools, you can outsource all your DPO requirements to us. One of our data protection experts will perform all the necessary tasks, working with you to understand your organisation and its compliance requirements.

The service provides: